ace-git-secrets 0.13.0

data/lib/ace/git/secrets/commands/revoke_command.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Commands
+        # CLI command for revoking tokens via provider APIs
+        class RevokeCommand
+          # Execute revoke command
+          # @param options [Hash] Command options
+          # @return [Integer] Exit code (0=success, 1=partial/failure, 2=error)
+          def self.execute(options)
+            new(options).execute
+          end
+
+          def initialize(options)
+            @options = options
+          end
+
+          def execute
+            tokens = load_tokens
+            return 1 if tokens.nil?
+
+            if tokens.empty?
+              puts "No tokens found to revoke."
+              puts "Run 'ace-git-secrets scan' first to detect tokens."
+              return 0
+            end
+
+            # Filter by service if specified
+            services = @options[:service] ? [@options[:service]] : nil
+
+            revoker = Molecules::TokenRevoker.new
+            results = revoker.revoke_all(tokens, services: services)
+
+            # Display results
+            display_results(results)
+
+            # Return code based on results
+            if results.all?(&:success?)
+              0
+            elsif results.any?(&:success?)
+              1 # Partial success
+            else
+              1
+            end
+          rescue => e
+            puts "Error: #{e.message}"
+            puts e.backtrace.first(5).join("\n") if ENV["DEBUG"]
+            2
+          end
+
+          private
+
+          def load_tokens
+            if @options[:token]
+              # Single token provided
+              [create_token_from_value(@options[:token])]
+            elsif @options[:scan_file]
+              load_tokens_from_file
+            else
+              # Ensure gitleaks is available for scanning
+              Atoms::GitleaksRunner.ensure_available!
+
+              # Scan to find tokens
+              scanner = Molecules::HistoryScanner.new(
+                gitleaks_config: Ace::Git::Secrets.gitleaks_config_path
+              )
+              report = scanner.scan(min_confidence: "high")
+              report.revocable_tokens
+            end
+          end
+
+          def create_token_from_value(value)
+            # Detect token type from prefix
+            token_type = identify_token_type(value)
+
+            Models::DetectedToken.new(
+              token_type: token_type,
+              pattern_name: token_type,
+              confidence: "high",
+              commit_hash: "manual",
+              file_path: "manual_input",
+              raw_value: value,
+              detected_by: "manual"
+            )
+          end
+
+          # Simple token type detection from value prefix
+          # @param value [String] Token value
+          # @return [String] Token type
+          def identify_token_type(value)
+            case value
+            when /\Aghp_/ then "github_pat_classic"
+            when /\Agho_/ then "github_oauth"
+            when /\Aghs_/ then "github_app"
+            when /\Aghr_/ then "github_refresh"
+            when /\Agithub_pat_/ then "github_pat_fine"
+            when /\Ask-ant-/ then "anthropic_api_key"
+            when /\Ask-/ then "openai_api_key"
+            when /\AAKIA/ then "aws_access_key"
+            when /\AASIA/ then "aws_session"
+            when /\AAIza/ then "google_api_key"
+            when /\Axox[baprs]-/ then "slack_token"
+            when /\Anpm_/ then "npm_token"
+            else "unknown"
+            end
+          end
+
+          def load_tokens_from_file
+            require "json"
+
+            file_path = @options[:scan_file]
+
+            unless File.exist?(file_path)
+              warn "Scan file not found: #{file_path}"
+              return nil
+            end
+
+            content = File.read(file_path)
+            data = JSON.parse(content)
+
+            unless data.is_a?(Hash) && data["tokens"].is_a?(Array)
+              warn "Invalid scan file format: expected {\"tokens\": [...]}"
+              return nil
+            end
+
+            # Validate that raw_value is present - required for revocation
+            tokens_without_raw = data["tokens"].select { |t| t["raw_value"].nil? || t["raw_value"].empty? }
+            unless tokens_without_raw.empty?
+              warn "Error: Scan file missing raw_value for #{tokens_without_raw.size} token(s)."
+              warn "The scan file was likely saved without raw token values."
+              warn "Re-run: ace-git-secrets scan  (saves with raw values by default)"
+              return nil
+            end
+
+            data["tokens"].map do |t|
+              Models::DetectedToken.new(
+                token_type: t["token_type"],
+                pattern_name: t["pattern_name"],
+                confidence: t["confidence"],
+                commit_hash: t["commit_hash"],
+                file_path: t["file_path"],
+                line_number: t["line_number"],
+                raw_value: t["raw_value"],
+                detected_by: t["detected_by"] || "scan_file"
+              )
+            end.select(&:revocable?)
+          rescue JSON::ParserError => e
+            warn "Invalid JSON in scan file: #{e.message}"
+            nil
+          rescue Errno::EACCES
+            warn "Permission denied reading scan file: #{file_path}"
+            nil
+          rescue => e
+            warn "Error loading scan file: #{e.class.name}: #{e.message}"
+            nil
+          end
+
+          def display_results(results)
+            puts "Token Revocation Results"
+            puts "=" * 50
+            puts
+
+            results.each do |result|
+              status_icon = case result.status
+              when "revoked" then "[OK]"
+              when "failed" then "[FAIL]"
+              when "skipped" then "[SKIP]"
+              else "[?]"
+              end
+
+              puts "#{status_icon} #{result.token.token_type}"
+              puts "    Value: #{result.token.masked_value}"
+              puts "    Service: #{result.service}"
+              puts "    Status: #{result.status}"
+              puts "    Message: #{result.message}"
+              puts
+            end
+
+            # Summary
+            revoked = results.count(&:success?)
+            failed = results.count(&:failed?)
+            skipped = results.count(&:skipped?)
+
+            puts "-" * 50
+            puts "Summary: #{revoked} revoked, #{failed} failed, #{skipped} skipped"
+
+            if skipped > 0
+              puts
+              puts "Note: Some tokens require manual revocation."
+              puts "Visit the provider dashboards to revoke them."
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/commands/rewrite_command.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Commands
+        # CLI command for rewriting Git history to remove tokens
+        class RewriteCommand
+          # Execute rewrite-history command
+          # @param options [Hash] Command options
+          # @return [Integer] Exit code (0=success, 1=failure, 2=error)
+          def self.execute(options)
+            new(options).execute
+          end
+
+          def initialize(options)
+            @options = options
+          end
+
+          def execute
+            # Ensure gitleaks is available
+            Atoms::GitleaksRunner.ensure_available!
+
+            cleaner = Organisms::HistoryCleaner.new(
+              repository_path: ".",
+              gitleaks_config: Ace::Git::Secrets.gitleaks_config_path
+            )
+
+            # Load tokens from scan file if provided
+            tokens = load_tokens_from_file if @options[:scan_file]
+            return 1 if @options[:scan_file] && tokens.nil?
+
+            # First pass - get confirmation requirements
+            result = cleaner.clean(
+              tokens: tokens,
+              dry_run: @options[:dry_run],
+              force: @options[:force],
+              create_backup: @options.fetch(:backup, true)
+            )
+
+            # Handle dry run
+            if result[:dry_run]
+              puts "DRY RUN - No changes made"
+              puts
+              puts result[:message]
+
+              if result[:tokens]
+                puts
+                puts "Tokens that would be removed:"
+                result[:tokens].each do |t|
+                  puts "  - #{t[:type]}: #{t[:masked_value]} (#{t[:file]}:#{t[:commit]})"
+                end
+              end
+              return 0
+            end
+
+            # Handle confirmation required
+            if result[:requires_confirmation]
+              puts result[:message]
+              print "\nConfirmation: "
+
+              input = $stdin.gets&.strip
+
+              unless cleaner.valid_confirmation?(input)
+                puts "\nConfirmation failed. No changes made."
+                return 1
+              end
+
+              # Re-run with force after confirmation
+              result = cleaner.clean(
+                tokens: tokens,
+                force: true,
+                create_backup: @options.fetch(:backup, true)
+              )
+            end
+
+            # Handle result
+            if result[:success]
+              puts result[:message]
+              puts result[:next_steps] if result[:next_steps]
+              0
+            else
+              puts "Error: #{result[:message]}"
+              1
+            end
+          rescue => e
+            puts "Error: #{e.message}"
+            puts e.backtrace.first(5).join("\n") if ENV["DEBUG"]
+            2
+          end
+
+          private
+
+          def load_tokens_from_file
+            return nil unless @options[:scan_file]
+
+            require "json"
+            file_path = @options[:scan_file]
+
+            unless File.exist?(file_path)
+              warn "Scan file not found: #{file_path}"
+              return nil
+            end
+
+            data = JSON.parse(File.read(file_path))
+
+            unless data.is_a?(Hash) && data["tokens"].is_a?(Array)
+              warn "Invalid scan file format: expected {\"tokens\": [...]}"
+              return nil
+            end
+
+            # Validate that raw_value is present - required for history rewriting
+            tokens_without_raw = data["tokens"].select { |t| t["raw_value"].nil? || t["raw_value"].empty? }
+            unless tokens_without_raw.empty?
+              warn "Error: Scan file missing raw_value for #{tokens_without_raw.size} token(s)."
+              warn "The scan file was likely saved without raw token values."
+              warn "Re-run: ace-git-secrets scan  (saves with raw values by default)"
+              return nil
+            end
+
+            data["tokens"].map do |t|
+              Models::DetectedToken.new(
+                token_type: t["token_type"],
+                pattern_name: t["pattern_name"],
+                confidence: t["confidence"],
+                commit_hash: t["commit_hash"],
+                file_path: t["file_path"],
+                line_number: t["line_number"],
+                raw_value: t["raw_value"],
+                detected_by: t["detected_by"] || "scan_file"
+              )
+            end
+          rescue JSON::ParserError => e
+            warn "Invalid JSON in scan file: #{e.message}"
+            nil
+          rescue Errno::EACCES
+            warn "Permission denied reading scan file: #{file_path}"
+            nil
+          rescue => e
+            warn "Error loading scan file: #{e.class.name}: #{e.message}"
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/commands/scan_command.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Commands
+        # CLI command for scanning repository for tokens
+        # Requires gitleaks to be installed (brew install gitleaks)
+        class ScanCommand
+          # Execute scan command
+          # @param options [Hash] Command options
+          # @return [Integer] Exit code (0=clean, 1=tokens found, 2=error)
+          def self.execute(options)
+            new(options).execute
+          end
+
+          def initialize(options)
+            @options = options
+            @config = Ace::Git::Secrets.config
+          end
+
+          def execute
+            # Check gitleaks availability early with clear error
+            Atoms::GitleaksRunner.ensure_available!
+
+            auditor = Organisms::SecurityAuditor.new(
+              repository_path: ".",
+              gitleaks_config: Ace::Git::Secrets.gitleaks_config_path,
+              output_format: output_format,
+              whitelist: load_whitelist,
+              exclusions: load_exclusions
+            )
+
+            # Quiet mode suppresses verbose and uses minimal output
+            quiet = @options[:quiet]
+            verbose = !quiet && @options[:verbose]
+
+            report = auditor.audit(
+              since: @options[:since],
+              min_confidence: @options[:confidence] || "low",
+              verbose: verbose
+            )
+
+            # Save report to file (new default behavior)
+            report_format = @options[:report_format]&.to_sym || :json
+            output_directory = @config.dig("output", "directory")
+            report_path = report.save_to_file(format: report_format, directory: output_directory, quiet: quiet)
+
+            # Print output based on mode
+            if quiet
+              # In quiet mode, only print summary for CI
+              puts report.clean? ? "clean" : "found:#{report.token_count}"
+            elsif verbose
+              # In verbose mode, print full table report
+              puts auditor.format_report(report)
+              puts
+              # Show whitelisted count if any
+              if auditor.whitelisted_count > 0
+                puts "Whitelisted: #{auditor.whitelisted_count} token(s) excluded by whitelist rules"
+                puts
+              end
+              puts auditor.next_steps(report)
+              puts
+              puts "Report saved: #{report_path}"
+            else
+              # Default: summary to stdout, full report to file
+              puts report.to_summary(report_path: report_path)
+              # Show whitelisted count if any
+              if auditor.whitelisted_count > 0
+                puts "Whitelisted: #{auditor.whitelisted_count} token(s) excluded by whitelist rules"
+              end
+              unless report.clean?
+                puts
+                puts auditor.next_steps(report)
+              end
+            end
+
+            # Return appropriate exit code
+            report.clean? ? 0 : 1
+          rescue Atoms::GitleaksRunner::GitleaksNotFoundError => e
+            puts "Error: #{e.message}"
+            2
+          rescue => e
+            puts "Error: #{e.message}"
+            puts e.backtrace.first(5).join("\n") if ENV["DEBUG"]
+            2
+          end
+
+          private
+
+          # Load whitelist from config
+          def load_whitelist
+            @config["whitelist"] || []
+          end
+
+          # Load exclusions from config
+          # ADR-022: Config already contains defaults merged with user overrides
+          def load_exclusions
+            @config["exclusions"]
+          end
+
+          # Determine output format
+          # CLI option takes precedence, then config, then default (table)
+          def output_format
+            @options[:format] ||
+              @config.dig("output", "format") ||
+              "table"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/models/detected_token.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Models
+        # Represents a detected token in Git history
+        # Immutable value object containing token metadata
+        class DetectedToken
+          attr_reader :token_type, :pattern_name, :confidence, :commit_hash,
+            :file_path, :line_number, :raw_value, :detected_by
+
+          # Confidence levels for token detection
+          CONFIDENCE_LEVELS = %w[high medium low].freeze
+
+          # @param token_type [String] Type of token (github_pat, anthropic_api_key, etc.)
+          # @param pattern_name [String] Name of pattern that matched
+          # @param confidence [String] Confidence level (high, medium, low)
+          # @param commit_hash [String] Git commit SHA where token was found
+          # @param file_path [String] Path to file containing token
+          # @param line_number [Integer, nil] Line number in file
+          # @param raw_value [String] The actual token value (stored for revocation)
+          # @param detected_by [String] Detection method (gitleaks, ruby_patterns)
+          def initialize(token_type:, pattern_name:, confidence:, commit_hash:,
+            file_path:, raw_value:, line_number: nil, detected_by: "ruby_patterns")
+            @token_type = token_type
+            @pattern_name = pattern_name
+            @confidence = validate_confidence(confidence)
+            @commit_hash = commit_hash
+            @file_path = file_path
+            @line_number = line_number
+            @raw_value = raw_value
+            @detected_by = detected_by
+
+            freeze
+          end
+
+          # Returns masked version of token for display
+          # Shows first 4 and last 4 characters with asterisks in between
+          # @return [String] Masked token value
+          def masked_value
+            return "****" if raw_value.nil? || raw_value.length < 12
+
+            prefix = raw_value[0, 4]
+            suffix = raw_value[-4, 4]
+            "#{prefix}#{"*" * [raw_value.length - 8, 4].max}#{suffix}"
+          end
+
+          # Returns short commit hash (7 characters)
+          # @return [String] Short commit hash
+          def short_commit
+            commit_hash[0, 7]
+          end
+
+          # Check if this is a high confidence match
+          # @return [Boolean]
+          def high_confidence?
+            confidence == "high"
+          end
+
+          # Returns service name for revocation
+          # @return [String, nil] Service name or nil if not revocable
+          def revocation_service
+            case token_type
+            when /^github_/
+              "github"
+            when "anthropic_api_key"
+              "anthropic"
+            when "openai_api_key"
+              "openai"
+            when /^aws_/
+              "aws"
+            end
+          end
+
+          # Check if token can be revoked via API
+          # @return [Boolean]
+          def revocable?
+            !revocation_service.nil?
+          end
+
+          # Human-readable provider name for grouping in reports
+          # @return [String] Provider display name
+          def provider_name
+            case revocation_service
+            when "github"
+              "GitHub"
+            when "anthropic"
+              "Anthropic"
+            when "openai"
+              "OpenAI"
+            when "aws"
+              "AWS"
+            else
+              "Manual Revocation Required"
+            end
+          end
+
+          # Convert to hash for serialization
+          # @param include_raw [Boolean] Whether to include raw token value
+          # @return [Hash]
+          def to_h(include_raw: false)
+            h = {
+              token_type: token_type,
+              pattern_name: pattern_name,
+              confidence: confidence,
+              commit_hash: commit_hash,
+              file_path: file_path,
+              line_number: line_number,
+              masked_value: masked_value,
+              detected_by: detected_by,
+              revocable: revocable?
+            }
+            h[:raw_value] = raw_value if include_raw
+            h
+          end
+
+          private
+
+          def validate_confidence(level)
+            return level if CONFIDENCE_LEVELS.include?(level)
+
+            raise ArgumentError, "Invalid confidence level: #{level}. Must be one of: #{CONFIDENCE_LEVELS.join(", ")}"
+          end
+        end
+      end
+    end
+  end
+end